According to Hansen, news of the flaw was passed along to him by a hacker who goes by the moniker TrainReq.

“There [are] four things of note here,” Hansen blogged. “Firstly, it’s on Google’s domain, not some other domain like Google Gadgets or something. So, yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS [Secure Sockets Layer/Transport Layer Security] (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz – as if anyone is using that product (or at least you shouldn’t be). And lastly, isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised?”

Hansen was referring to the location feature in Buzz that shows where Buzz users are when they post. This feature can be turned off by the user.

“We have no indication that the vulnerability was actively abused,” a Google spokesperson said. “We understand the importance of our users’ security, and we are committed to further improving the security of Google Buzz.”

“While the outcome was not something I would have wished for or predicted, the remedies and response of the team [have] really indicated to me that we have a great core competency at Google in terms of being able to develop social software, to be in dialogue with our users and to rapidly iterate and improve the product,” Horowitz told eWEEK.